1

I have seen many articles on LWN about allowing for dynamically loadable Linux security modules (LSM), but it is impossible to find concrete information on how it can be done. The LSM hooks (I don't know if this is the right term) aren't exported in the kernel anymore, but their addresses can be retrieved with kallsyms_lookup_name and then assigned to function declarations.

There are some mentions of LSM hooks not being unloadable, but is this true? What does it even mean? If a Linux loadable kernel module registers some hooks, is it unable to unregister them later? Why is this case? Is there a workaround or a way to force them to unload?

Do dynamically loadable LSMs have to be written differently than built-in LSMs? Or do both use the same conventions and interfaces?

Rachid K.
  • 4,490
  • 3
  • 11
  • 30
Melab
  • 2,594
  • 7
  • 30
  • 51

1 Answers1

0

It's technically possible to hotpatch the kernel to add hooks to anything. https://stackoverflow.com/a/6742086/2079814

Another possibility is to leverage kpatch to inject an LSM.

Neither of these options would be considered best practice, but should work in theory. I haven't seen the latter method (kpatch) done before.

Manouchehri
  • 100
  • 1
  • 6